Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2023, 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18c79cb75b6c6ff5decbac074fbf185cd7bd3d447eff2a8b98d497bb9d20956b.exe

  • Size

    536KB

  • MD5

    590cb7e81d36ef373ab1deaf45d60a23

  • SHA1

    a30184f197b4c81ebadd535d2c944ae72877ca03

  • SHA256

    18c79cb75b6c6ff5decbac074fbf185cd7bd3d447eff2a8b98d497bb9d20956b

  • SHA512

    75d0628fbfd14cca95ee81cc428c57aa8348576b3f158aa542ce73c5fd973baea0d5bcf336ba713ac12796e56233be9f96a0a74cab01441aaf1d1cc4fa182060

  • SSDEEP

    12288:CMrPy90FKd7qVTjI0V1G32dmYiCLSxiqkQB:pym5V40VY32dziCFbQB

Score
10/10
redlineformarumfadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Extracted

Family

redline

Botnet

forma

C2

193.233.20.24:4123

Attributes
  • auth_value

    50b8e065d7cb1e9e30786f7a370368f9

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c79cb75b6c6ff5decbac074fbf185cd7bd3d447eff2a8b98d497bb9d20956b.exe
    "C:\Users\Admin\AppData\Local\Temp\18c79cb75b6c6ff5decbac074fbf185cd7bd3d447eff2a8b98d497bb9d20956b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpW6807aL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpW6807aL.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw09bx46IF92.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw09bx46IF92.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:488
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tuI54MV25.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tuI54MV25.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1356
          4⤵
          • Program crash
          PID:4300
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCV14bW38.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCV14bW38.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 696 -ip 696
    1⤵
      PID:4936

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCV14bW38.exe
      Filesize

      177KB

      MD5

      ad1bf1c5b167a3fdd9e654c3dc1b506e

      SHA1

      f40f231d86b8c764296228ce6ccb4bb0fd3ba279

      SHA256

      19eb9333ba131a925a286514f5143f0bf4c8269d2bba19553dc70d3bbfacb893

      SHA512

      16e7b4182c600a2efda29fac4338ca9a88063e9e338dd5eedd73d411fef78deb5320aef690d5dc4e5c52e197364b4401260d90ce5d9bae02c2a6e47ebd6578e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uCV14bW38.exe
      Filesize

      177KB

      MD5

      ad1bf1c5b167a3fdd9e654c3dc1b506e

      SHA1

      f40f231d86b8c764296228ce6ccb4bb0fd3ba279

      SHA256

      19eb9333ba131a925a286514f5143f0bf4c8269d2bba19553dc70d3bbfacb893

      SHA512

      16e7b4182c600a2efda29fac4338ca9a88063e9e338dd5eedd73d411fef78deb5320aef690d5dc4e5c52e197364b4401260d90ce5d9bae02c2a6e47ebd6578e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpW6807aL.exe
      Filesize

      391KB

      MD5

      fbd6abfc5b371c07c862f608e939c30b

      SHA1

      91e8155f646cdcae00fb38b6771aa7518f606023

      SHA256

      5c7b228f1d969c714ec7939f031ca441e74bfb192cf983ca80817f391832486f

      SHA512

      174cc3608db4074fe0d895d504371657d1bd82da48dfbacc95d173ded03ddd32d3acf10af34fffed4695aacf165577a80570187246205bba518d52b660e7580e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vpW6807aL.exe
      Filesize

      391KB

      MD5

      fbd6abfc5b371c07c862f608e939c30b

      SHA1

      91e8155f646cdcae00fb38b6771aa7518f606023

      SHA256

      5c7b228f1d969c714ec7939f031ca441e74bfb192cf983ca80817f391832486f

      SHA512

      174cc3608db4074fe0d895d504371657d1bd82da48dfbacc95d173ded03ddd32d3acf10af34fffed4695aacf165577a80570187246205bba518d52b660e7580e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw09bx46IF92.exe
      Filesize

      17KB

      MD5

      fcaf81a81064a8a8487c4624532eba33

      SHA1

      11d6c35c3b4e0b23c3fd9594318707fd1271833b

      SHA256

      6e2f7abcf13dcda5e398861fffa4e47be21ca567bc11794559c03f2965753699

      SHA512

      eb6cace4f7728b03d636e58a4cf5bc79defb8b74a0b49ac600551631fcf10e421b901d636b4ffb3439562bc6d71b2c48c4b4934f7a238c2b6fcc1252171bf1e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw09bx46IF92.exe
      Filesize

      17KB

      MD5

      fcaf81a81064a8a8487c4624532eba33

      SHA1

      11d6c35c3b4e0b23c3fd9594318707fd1271833b

      SHA256

      6e2f7abcf13dcda5e398861fffa4e47be21ca567bc11794559c03f2965753699

      SHA512

      eb6cace4f7728b03d636e58a4cf5bc79defb8b74a0b49ac600551631fcf10e421b901d636b4ffb3439562bc6d71b2c48c4b4934f7a238c2b6fcc1252171bf1e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tuI54MV25.exe
      Filesize

      304KB

      MD5

      ad61b513e0bbc3784d0c28ba13ab19ff

      SHA1

      0d86785da45331516385d7d72e18457e32b89aed

      SHA256

      5e58f65612a82a7a2a61a80f45d1cc0d756372bc05a8160e1d962270d2e1b037

      SHA512

      80d72ceb8b82f962a85381078abf4826412537604ff74749d05ff926f79ca143107219d217520050561b09675b04bfef14ddee37b2dc4818a84bf04c785afe0a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tuI54MV25.exe
      Filesize

      304KB

      MD5

      ad61b513e0bbc3784d0c28ba13ab19ff

      SHA1

      0d86785da45331516385d7d72e18457e32b89aed

      SHA256

      5e58f65612a82a7a2a61a80f45d1cc0d756372bc05a8160e1d962270d2e1b037

      SHA512

      80d72ceb8b82f962a85381078abf4826412537604ff74749d05ff926f79ca143107219d217520050561b09675b04bfef14ddee37b2dc4818a84bf04c785afe0a

      Download Submit

    • memory/488-147-0x0000000000190000-0x000000000019A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/696-153-0x00000000006F0000-0x000000000073B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/696-154-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/696-155-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/696-156-0x0000000004D50000-0x00000000052F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/696-157-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-158-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-160-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-162-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-164-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-166-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-168-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-170-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-172-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-174-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-176-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-178-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-180-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-182-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-184-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-186-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-188-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-190-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-192-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-194-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-196-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-198-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-200-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-202-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-204-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-206-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-208-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-210-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-212-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-214-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-216-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-218-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-220-0x0000000004C70000-0x0000000004CAE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/696-1063-0x0000000005300000-0x0000000005918000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/696-1064-0x0000000005970000-0x0000000005A7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/696-1065-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-1066-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/696-1067-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/696-1069-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/696-1070-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/696-1071-0x0000000005DC0000-0x0000000005E52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/696-1072-0x0000000005E60000-0x0000000005EC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/696-1073-0x0000000006580000-0x00000000065F6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/696-1074-0x0000000006600000-0x0000000006650000-memory.dmp

      Filesize

      320KB

      Download

    • memory/696-1075-0x0000000006780000-0x0000000006942000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/696-1076-0x0000000006950000-0x0000000006E7C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/696-1077-0x0000000004D40000-0x0000000004D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4884-1083-0x0000000000640000-0x0000000000672000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4884-1084-0x0000000004F20000-0x0000000004F30000-memory.dmp

      Filesize

      64KB

      Download